On Nov 4, 2004, at 8:00 AM, Joe Gregorio wrote:
Malicious user X produces an Atom feed served with an X-Atom-Error header.
Malicious user X could change their X-Atom-Error header to point to someone else's URI (it could be /their/ Error URI or it could be a completely different service). Either way, Malicious user X then intentionally forces their Atom feed to be invalid, thus causing all the subscribers to X's Atom feed to hit that unrelated service.
Of course, for this to work, Mr. Malicious has to have built up enough subscribers to his feed to cause a problem. And in this case, he would quickly be caught; it would be totally traceable. Consider the case of my feed, with maybe 10,000 subscribers, of whom more are coming through Bloglines all the time. How much pain could I inflict? Quite a lot actually, if I put my mind to it, but not by Atom ServiceError hacking. -Tim
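The scenario Joe describes (a publisher pointing the error header at someone else's service and then breaking the feed so every subscriber hits that service) is straightforward for a feed reader to defuse on its side. The following is an added example, not code from the thread or from any Atom implementation: a reader-side policy that follows an X-Atom-Error URI only when the feed actually failed to parse and only when the URI resolves to the same origin (scheme, host, port) as the feed itself. The header name is taken from the thread; the single-absolute-or-relative-URI format, the same-origin rule, and the sample header values are assumptions constructed for the example.

```python
"""Reader-side policy for a hypothetical X-Atom-Error header.

Added example, not part of the atom-syntax thread. Assumes the header
carries one URI (absolute or relative to the feed URL); the decision
to follow it only on parse failure and only within the feed's own
origin is this example's choice, not a rule from the list.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit

HEADER = "X-Atom-Error"
DEFAULT_PORTS = {"http": 80, "https": 443}


def find_header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup of a response header value."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def origin(url: str):
    """Return (scheme, host, effective port) or None for non-HTTP URLs."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def same_origin(feed_url: str, error_url: str) -> bool:
    """True when the error URI shares the feed's scheme, host and port.

    This is what stops a publisher from steering subscribers at a third
    party's service: an off-origin error URI is simply never fetched.
    """
    err = origin(error_url)
    return err is not None and err == origin(feed_url)


def error_uri_to_follow(feed_url: str, headers: dict, feed_parsed_ok: bool) -> Optional[str]:
    """Decide which URI, if any, the reader may fetch after a feed failure.

    Returns None when the feed was fine (no reason to hit the error
    service at all), when no header is present, or when the resolved
    URI is not on the feed's own origin.
    """
    if feed_parsed_ok:
        return None
    raw = find_header(headers, HEADER)
    if not raw:
        return None
    target = urljoin(feed_url, raw)  # resolve relative references against the feed
    return target if same_origin(feed_url, target) else None


if __name__ == "__main__":
    # Constructed sample: a feed on example.com whose header points elsewhere.
    feed = "https://example.com/feed.atom"
    cases = [
        ({"X-Atom-Error": "/errors/feed"}, False),
        ({"X-Atom-Error": "https://other.example.net/hammer"}, False),
        ({"X-Atom-Error": "https://example.com/errors"}, True),
    ]
    for hdrs, ok in cases:
        print(hdrs.get("X-Atom-Error"), "->", error_uri_to_follow(feed, hdrs, ok))
```

The same-origin rule means a broken feed can only generate traffic against the publisher's own host, which removes the third-party amplification while keeping the header useful for a publisher who hosts their own error endpoint.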
